Subject: RE: [saml-dev] Trouble Verifying the XML Digest


Scott,

I am currently canonicalizing the XML before I hash it with SHA1.  The
library I'm using is XMLCanonicalizer Version 1.01, which I am getting
from a ruby gem.  This is patched from the original release based on the
SAML2Ruby library published by Sun.  Here is the code that I'm using.
Thanks for your help.

      # remove the enveloped signature node first: each ds:Reference digest is
      # computed over the referenced element with ds:Signature taken out
      sig_element = XPath.first(@xmldocument, "//ds:Signature",
                                {"ds" => "http://www.w3.org/2000/09/xmldsig#"})
      sig_element.remove

      # check digests
      logger.info("checking digests") if !logger.nil?
      # ".//" keeps the search inside the (now detached) ds:Signature element
      XPath.each(sig_element, ".//ds:Reference",
                 {"ds" => "http://www.w3.org/2000/09/xmldsig#"}) do |ref|
        uri = ref.attributes.get_attribute("URI").value
        id = uri[1, uri.size]   # strip the leading "#" from URI="#_id"
        logger.info("URI = " + id) if !logger.nil?
        # "//[@ID=...]" is not valid XPath; the node test "*" is required
        hashed_element = XPath.first(self, "//*[@ID='#{id}']")
        logger.info("hashed element = " + hashed_element.to_s) if !logger.nil?
        canoner = XML::Util::XmlCanonicalizer.new(false, true)
        canon_hashed_element = canoner.canonicalize_element(hashed_element)
        logger.info("canon hashed element = " + canon_hashed_element) if !logger.nil?
        hash = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
        # "//ds:DigestValue" searches the whole tree from its root and so always
        # returns the first DigestValue; restrict the lookup to this Reference.
        # strip: a pretty-printed DigestValue may carry surrounding whitespace
        digest_value = XPath.first(ref, "./ds:DigestValue",
                                   {"ds" => "http://www.w3.org/2000/09/xmldsig#"}).text.strip
        logger.info("hashed_element_hash = " + hash) if !logger.nil?
        logger.info("digest_value_element = " + digest_value) if !logger.nil?

        valid_flag = hash == digest_value
        return valid_flag if !valid_flag
      end
      true   # every Reference digest matched

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Wednesday, December 16, 2009 10:17 PM
To: Mark Fruhling; saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] Trouble Verifying the XML Digest

Mark Fruhling wrote on 2009-12-16:
> It's my understanding that the digest should be the
> assertion => SHA-1 Hashed => Base 64 encoded.

To a degree, but that grossly oversimplifies how you verify an XML
Signature, specifically the "assertion => hash" part. That requires XML
Canonicalization. You can't just feed the XML directly into a hash, there's
virtually no chance you'll end up with the same octets.

(Maybe you know that, but when people ask questions like that, they usually
don't.)

-- Scott
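Scott's point that the raw XML octets will not hash to the same value, shown with an added example that is not part of this thread nor of the SAML2Ruby or XMLCanonicalizer code: a simplified canonicalizer over REXML (namespace declarations first, attributes sorted by name, double quotes, explicit end tags, comments dropped; real C14N additionally orders attributes by namespace URI and handles inherited namespace context, which this does not). The two assertion strings are constructed samples.

```ruby
require 'rexml/document'
require 'digest/sha1'
# Constructed sample: two byte-wise different serializations of the same
# assertion (attribute order, quote style and the self-closing tag differ).
DOC_A = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ' \
        'ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.com' \
        '</saml:Issuer><saml:Conditions/></saml:Assertion>'
DOC_B = "<saml:Assertion Version='2.0' ID='_a1' " \
        "xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'><saml:Issuer>" \
        "https://idp.example.com</saml:Issuer><saml:Conditions>" \
        "</saml:Conditions></saml:Assertion>"
def esc_text(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub("\r", '&#xD;')
end
def esc_attr(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('"', '&quot;')
   .gsub("\t", '&#x9;').gsub("\n", '&#xA;').gsub("\r", '&#xD;')
end
# Simplified C14N of one subtree: xmlns declarations first, then attributes,
# each group sorted by name; double quotes; explicit end tags; comments dropped.
def c14n(node)
  case node
  when REXML::Element
    attrs = []
    node.attributes.each_attribute { |a| attrs << a }
    ns, plain = attrs.partition { |a| a.expanded_name =~ /\Axmlns(?::|\z)/ }
    out = +"<#{node.expanded_name}"
    (ns.sort_by(&:expanded_name) + plain.sort_by(&:expanded_name)).each do |a|
      out << %( #{a.expanded_name}="#{esc_attr(a.value)}")
    end
    out << '>' << node.children.map { |c| c14n(c) }.join << "</#{node.expanded_name}>"
  when REXML::Text
    esc_text(node.value)
  else
    ''
  end
end
def canonical_xml(xml)
  c14n(REXML::Document.new(xml).root)
end
# Base64(SHA-1(octets)), the form carried in ds:DigestValue ('m0' = strict base64)
def b64_sha1(octets)
  [Digest::SHA1.digest(octets)].pack('m0')
end
if __FILE__ == $0
  puts "raw digests equal?       #{b64_sha1(DOC_A) == b64_sha1(DOC_B)}"
  puts "canonical digests equal? #{b64_sha1(canonical_xml(DOC_A)) == b64_sha1(canonical_xml(DOC_B))}"
end
```

Hashing the raw strings gives two different digests; hashing the canonical forms gives one, which is the comparison a DigestValue check has to make.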
